Thursday, March 8, 2012

Kerberos client config with OD on SL and Lion


I've dived into the murky, two-colored waters of Kerberos on MacOS SL and Lion. Our installation works, but the tickets are issued without the Renewable and Forwardable flags, which complicates usage with Linux. I needed to find a way to configure the Kerberos client on the Macs.

After a lot of searching, I've found that Snow Leopard clients with network users read an Open Directory config entry and use it as their krb5.conf.

This entry is (seen from the OD host (SL Server)): 
/LDAPv3/127.0.0.1/Config/KerberosClient/XMLPlist

You can edit this entry with the Inspector tab in your Workgroup Manager (again on SL). The entry is formatted as an XML file, but you'll see the similarities to a normal krb5.conf right away.

Don't forget to increment the GenerationID at the end of the XML to apply changes on your clients. The entries should be applied at the next login, but you can force the sync with the tool "kerberosautoconfig". Add the parameter "-v 4" to get some feedback:

$> sudo kerberosautoconfig -v 4 

Alternatively, you can copy a regular krb5.conf file to the file /Library/Preferences/edu.mit.Kerberos.

Lion clients ignore the entry in the OD. They hilariously still accept the edu.mit.Kerberos file, even though Lion uses Heimdal Kerberos instead of the MIT flavor. Lion is missing the "kerberosautoconfig" tool as well, but the SL version still runs on Lion. Get the file from somewhere and copy it to "/sbin/".

You can generate a local "/Library/Preferences/edu.mit.Kerberos" file by running: 

$> sudo kerberosautoconfig -f /LDAPv3/<yourODhost>  -v 4

The configuration does not refresh by itself, so you need to run this again if something changed. 
I still have a lot to learn about Kerberos on Mac; I'll keep you posted.
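Whichever way the client ends up with its krb5.conf (the OD entry or a local edu.mit.Kerberos file), the missing flags only appear if [libdefaults] actually asks for them. The script below is an added example, not part of the original post or of Apple's tooling: it audits a krb5.conf-style file for the forwardable/renew_lifetime settings and rewrites [libdefaults] to request both. The sample config, the realm name and the 7d renew lifetime are constructed assumptions.

```python
import re

# Constructed sample: a client krb5.conf that never asks for forwardable or renewable tickets
SAMPLE_BEFORE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 10h
[realms]
    EXAMPLE.ORG = {
        kdc = od.example.org
    }
"""
SECTION = re.compile(r"^\[(\w+)\]$")

def parse_krb5_conf(text):
    """Map each section's top-level 'key = value' pairs; realm sub-blocks ({ ... }) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if header := SECTION.match(line):
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif current and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def ticket_flag_audit(text):
    """Does this config make kinit request forwardable / renewable tickets?"""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    return {"forwardable": lib.get("forwardable", "").lower() in ("true", "yes", "1", "on"),
            "renewable": "renew_lifetime" in lib}

def ensure_ticket_flags(text, renew_lifetime="7d"):
    """Request both flags in [libdefaults]; 7d is an assumption, and the KDC must also permit them."""
    wanted = {"forwardable": "true", "renew_lifetime": renew_lifetime}
    fresh = [f"    {k} = {v}" for k, v in wanted.items()]
    out, in_lib = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if SECTION.match(stripped):
            in_lib = stripped == "[libdefaults]"
            out.append(raw)
            if in_lib:
                out.extend(fresh)  # fresh values sit right under the section header
        elif not (in_lib and stripped.split("=", 1)[0].strip().lower() in wanted):
            out.append(raw)  # keep everything else; stale flag lines are dropped
    return "\n".join(out) + "\n"
```

After running it over the generated file, check the result with "klist -f": the F and R flags only show up if the KDC side allows forwardable and renewable tickets too.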
